How to Collect Microsoft Teams Audit Logs | Office 365 Management API
Overview
Microsoft Teams audit logs capture team activities, meeting events, channel operations, and app management in your Microsoft 365 environment. Use this guide to monitor collaboration activities, track meeting participation, audit team membership changes, and maintain compliance records.
Common Use Cases:
- Monitor team creation and membership changes
- Track meeting join/leave events and recordings
- Audit channel creation and message policy compliance
- Detect unauthorized app installations
- Monitor guest access and external collaboration
Prerequisites
Before configuring Edge Delta, complete the Office 365 Management API setup:
- Enable unified audit logging in Microsoft Purview compliance portal
- Register an Azure AD application with Office 365 Management APIs permissions
- Grant the ActivityFeed.Read permission and obtain admin consent
- Start the Audit.General subscription (one-time setup)

Teams audit events are part of the Audit.General content type, which also includes Power BI, Dynamics 365, and other Microsoft 365 services.

For detailed setup instructions, see Office 365 Management API Integration.
Start General Subscription
Run this command once to enable Teams audit log collection:
```bash
# Get OAuth token (-sS hides the progress meter but still prints errors;
# --data-urlencode keeps secrets containing +, & or = intact)
TOKEN=$(curl -sS -X POST "https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token" \
  --data-urlencode "client_id={CLIENT_ID}" \
  --data-urlencode "client_secret={CLIENT_SECRET}" \
  --data-urlencode "scope=https://manage.office.com/.default" \
  --data-urlencode "grant_type=client_credentials" \
  | jq -r '.access_token')

# Start General subscription (includes Teams)
curl -sS -X POST "https://manage.office.com/api/v1.0/{TENANT_ID}/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier={TENANT_ID}" \
  -H "Authorization: Bearer ${TOKEN}"
```
Configuration
Basic Teams Audit Collection
```yaml
nodes:
  - name: teams_audit_logs
    type: http_pull_input
    endpoint: https://manage.office.com/api/v1.0/YOUR_TENANT_ID/activity/feed/subscriptions/content
    method: GET
    pull_interval: 5m
    authorization:
      strategy: oauth_client_credentials
      client_credentials:
        token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
        client_id: YOUR_CLIENT_ID
        client_secret: YOUR_CLIENT_SECRET
        scopes:
          - https://manage.office.com/.default
      header_templates:
        - header: Authorization
          value: Bearer $ACCESS_TOKEN
    parameters:
      - name: contentType
        value: Audit.General
      - name: PublisherIdentifier
        value: YOUR_TENANT_ID
    parameter_expressions:
      - name: startTime
        value_expression: FormatTime(Now() - Duration("6m"), "%Y-%m-%dT%H:%M:%SZ")
      - name: endTime
        value_expression: FormatTime(Now() - Duration("1m"), "%Y-%m-%dT%H:%M:%SZ")
    pagination:
      url_json_path: contentUri
      response_format: json
      max_parallel: 3
      inherit_auth: true
      error_strategy: continue
```
Teams Audit Operations
Team Management
| Operation | Description |
|---|---|
| TeamCreated | New team created |
| TeamDeleted | Team deleted |
| TeamSettingChanged | Team settings modified |
| MemberAdded | User added to team |
| MemberRemoved | User removed from team |
| MemberRoleChanged | User role changed (owner/member) |
Channel Operations
| Operation | Description |
|---|---|
| ChannelAdded | New channel created |
| ChannelDeleted | Channel deleted |
| ChannelSettingChanged | Channel settings modified |
Meeting Operations
| Operation | Description |
|---|---|
| MeetingStarted | Meeting started |
| MeetingEnded | Meeting ended |
| MeetingParticipantJoined | User joined meeting |
| MeetingParticipantLeft | User left meeting |
| RecordingStarted | Meeting recording started |
| RecordingStopped | Meeting recording stopped |
App Management
| Operation | Description |
|---|---|
| AppInstalled | App installed in team |
| AppUninstalled | App removed from team |
| BotAddedToTeam | Bot added to team |
Guest Access
| Operation | Description |
|---|---|
| GuestUserAdded | External guest added |
| GuestUserRemoved | External guest removed |
| GuestAccessEnabled | Guest access policy enabled |
Sample Teams Audit Log
```json
{
  "CreationTime": "2024-01-01T10:00:00",
  "Id": "teams-audit-guid",
  "Operation": "MemberAdded",
  "OrganizationId": "org-guid",
  "RecordType": 25,
  "UserType": 0,
  "Workload": "MicrosoftTeams",
  "UserId": "admin@company.com",
  "TeamName": "Engineering Team",
  "TeamGuid": "team-guid",
  "Members": [
    {
      "UPN": "newmember@company.com",
      "Role": "Member",
      "DisplayName": "New Member"
    }
  ],
  "AddOnName": null,
  "CommunicationType": "Team"
}
```
Meeting Event Sample
```json
{
  "CreationTime": "2024-01-01T14:00:00",
  "Id": "meeting-audit-guid",
  "Operation": "MeetingParticipantJoined",
  "Workload": "MicrosoftTeams",
  "UserId": "user@company.com",
  "MeetingId": "meeting-guid",
  "MeetingType": "Scheduled",
  "Attendees": [
    {
      "UPN": "user@company.com",
      "Role": "Presenter"
    }
  ],
  "CommunicationType": "GroupCall"
}
```
Key Fields for Analysis
| Field | Description | Use Case |
|---|---|---|
| Operation | Action performed | Identify activity type |
| Workload | Should be “MicrosoftTeams” | Filter Teams events |
| UserId | Who performed the action | Attribute activity |
| TeamName | Team display name | Identify target team |
| Members | Affected users | Track membership changes |
| CommunicationType | Team, GroupCall, etc. | Classify event type |
High-Value Operations to Monitor
| Operation | Risk Level | Description |
|---|---|---|
| GuestUserAdded | High | External user access granted |
| TeamDeleted | High | Team and data deleted |
| AppInstalled (unknown) | Medium | Third-party app installed |
| MemberRoleChanged (to owner) | Medium | Privilege escalation |
| ChannelDeleted | Low | Channel removed |
Filtering Teams Events
Since Audit.General includes multiple workloads, filter for Teams events in your downstream processing:
```
# Filter criteria:
# Workload == "MicrosoftTeams"
# RecordType == 25 (Teams operations)
```
Common RecordTypes for Teams:
- 25 - General Teams operations
- 28 - Teams meeting events
- 30 - Teams call events
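The Workload filter above can be combined with the risk levels from the High-Value Operations table in a small downstream triage step. This is an added example, not Edge Delta's own code: `KNOWN_APPS`, the one-JSON-record-per-line input, and the string-valued `Members[].Role` (taken from the sample's shape) are assumptions, and the sample records are constructed.

```python
import json

# Risk levels copied from the page's "High-Value Operations to Monitor" table.
RISK = {"GuestUserAdded": "High", "TeamDeleted": "High", "ChannelDeleted": "Low"}
# Hypothetical allow-list of approved app names; replace with your own inventory.
KNOWN_APPS = {"Planner", "OneNote"}

def triage(record):
    """Return (risk, reason) for a Teams record worth alerting on, else None."""
    if record.get("Workload") != "MicrosoftTeams":
        return None  # Audit.General also carries other Microsoft 365 workloads
    op = record.get("Operation")
    if op in RISK:
        return RISK[op], op
    if op == "AppInstalled" and record.get("AddOnName") not in KNOWN_APPS:
        # A missing or null app name counts as unknown, not as trusted.
        return "Medium", f"AppInstalled (unknown): {record.get('AddOnName')}"
    if op == "MemberRoleChanged":
        # Assumption: Members[].Role holds the new role as a string, as in the sample.
        owners = [str(m.get("UPN")) for m in record.get("Members") or []
                  if isinstance(m, dict) and str(m.get("Role")).lower() == "owner"]
        if owners:
            return "Medium", "MemberRoleChanged (to owner): " + ", ".join(owners)
    return None

def triage_lines(lines):
    """Triage one JSON record per line; unparseable lines are counted, not fatal."""
    alerts, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        hit = triage(rec) if isinstance(rec, dict) else None
        if hit:
            alerts.append((rec.get("UserId"), hit[0], hit[1]))
    return alerts, skipped

# Constructed sample input (not real tenant data).
SAMPLE = [
    '{"Workload":"MicrosoftTeams","Operation":"GuestUserAdded","UserId":"admin@company.com"}',
    '{"Workload":"PowerBI","Operation":"ViewReport","UserId":"user@company.com"}',
    '{"Workload":"MicrosoftTeams","Operation":"AppInstalled","AddOnName":null,"UserId":"user@company.com"}',
    '{"Workload":"MicrosoftTeams","Operation":"AppInstalled","AddOnName":"Planner","UserId":"user@company.com"}',
    '{"Workload":"MicrosoftTeams","Operation":"MemberRoleChanged","UserId":"admin@company.com",'
    ' "Members":[{"UPN":"newmember@company.com","Role":"Owner"}]}',
    '{truncated',
]
```

Calling `triage_lines(SAMPLE)` returns the alert tuples and the count of skipped lines; a non-zero skip count is worth tracking, since dropped records are a gap in the audit trail.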
Troubleshooting
| Issue | Solution |
|---|---|
| No Teams events | Verify Audit.General subscription is started |
| Mixed workloads | Filter by Workload: MicrosoftTeams |
| Missing meetings | Meeting auditing may require Teams Premium |
| 401 Unauthorized | Check client credentials and tenant ID |
| 403 Forbidden | Ensure ActivityFeed.Read permission has admin consent |
Related Pages
- Office 365 Management API Overview - Complete API reference
- Exchange Audit Logs - Email monitoring
- SharePoint Audit Logs - File activity monitoring